Plex is a fork of the Open Source Kodi (previously XBMC) project from 2008, the Plex Media Server has evolved into what amounts to a free, personal Netflix + Spotify that lets you stream home content to devices or browsers with an optional subscription model for added features. Here’s how to use your own self-signed SSL certificates to encrypt connection streams.

Getting Started
I am going to assume you have Plex Media Server already setup, if not there are plenty of other guides to do this. We will focus on creating, installing and using your own self-signed SSL certificates to encrypt connection streams to the outside world. This is aimed for a CentOS7/RHEL7 installation, substitute appropriately for other Linux distributions.

Install the Requirements
We’re going to be using the openssl commands and a Python script to create our certificates.

yum install openssl pyOpenSSL wget -y

Create the SSL certificates
We’re going to do everything else as the plex user inside their home directory.

Create the CSR
Next you’ll create the certificate signing request and be prompted with some questions. You can enter any value you want here, don’t overthink it. The only important thing that must match is the Common Name which should be valid FQDN / hostname of your home machine where any external clients will connect. There are plenty of free services that provide dynamic DNS for this if you don’t have the ability to add an A record somewhere.

openssl req -new -key plex.key -out plex.csr

Strip Out Passphrase
Now we’re going to strip the passphrase out of the keyfile, it will prompt you one more time for the passphrase.

Create the PKCS12 Certificate
Plex requires a pkcs12 certificate to be generated, but we’re going to use a python script for that. You first need your ProcessedMachineIdentifier number from your Plex installation, thanks to the Reddit post that cleared this up.

Obtain your PMI Number
Obtain the long 30-35 character alphanumeric string after ProcessedMachineIdentifier= in the following file:

Let’s assume mine is ProcessedMachineIdentifier=”547bzw4423296e0ba072364f11c84kj3fae632ld5” for this example.

Bring it Home
Now you’ll snag the following Python tool, it will create your pkcs12 certificate as well as generate a long hash that you’ll need for Plex as the “private key” (this is confusing as you’d normally think it refers to your actual private key – not so.

At this point you should have the following items ready – certificate.p12 and the long hash (passphrase) above. Let’s move on to installing this in Plex.

Installing Certificate in Plex
Login to Plex Media Server and go to Settings -> Server -> Network and place the above info like below – the path to the certificate.p12 and the really long hash (passphrase) that was generated earlier. You will also want to put the Common Name you entered during SSL certificate creation here in the custom certificate domain area.

NOTE: Be sure that the permissions are correct on the certificates, they should be owned by the plex user. While you’re there set secure connections to required, at this stage in Plex development all clients should work fine with it.

Lastly make sure you enter the full URL for your home server under Custom Server Access URLs.

Save your settings and restart Plex Media Server. You can also take a look at the logs to make sure everything is humming along – mine were located in /var/lib/plexmediaserver/Library/Application\ Support/Plex\ Media\ Server/Logs/Plex\ Media\ Server.log

systemctl restart plexmediaserver

NOTE: Router and DNS Rebinding
Plex does some interesting trickery with DNS rebinding to make their wildcard plex.tv certificates work along with your own self-signed certificates for connection streams once authentication is finished. If you’re using a popular Open Source router firmware like Tomato you’ll want to apply an option in DNSMASQ to allow for this.

I am running an ASUS RT-N66U on Tomato Shibby, so I use the following settings in Advanced -> DNS/DHCP DNSMASQ configuration (may need to reboot router to take effect).

rebind-domain-ok=/plex.direct/

Verification
You should now be able to refresh your Plex server URL and be prompted to accept a self-signed certificate. Click view and you should see the details you entered earlier when you created it. Happy Plexing!

Hey Arnaud, check that the certificate, files and structure are readable (or ideally owned) by the plex user and that the permission are right. That is the most common cause for this error. Another cause might be the path and password settings.

Sep 20, 2017 sadsfae commented on issue redhat-performance/quads#133 Hey @bengland2 yes, we use both clearpart and zerombr, e.g. zerombr clearpart --all --initlabel I think that Anaconda should have no problem clear…

Sep 19, 2017 sadsfae commented on issue redhat-performance/quads#133 Update here, we believe this is a bug in Anaconda and have retrieved logs from a failed deployment that had LVM cruft on the disks. The following w…